New Android Malware Goes After Facebook Mobile Users, Bypasses Two-Factor Authentication

Security is a hot button topic right now, and with good reason. With government agencies trying to scoop your data just as much as the cyber criminals we’re all told keep sniffing our credit card details, gone are the days of simply burying our heads in the sand and hoping it’ll all be OK.

If you own an Android smartphone or tablet, then malware is already a very real concern, but the latest news from security researchers at ESET is that Android devices are currently being targeted by a trojan that appears designed to bypass Facebook’s two-factor authentication system – the very system that was put in place to try and make Facebook accounts more secure.

According to the information currently available, a trojan called Qadars injects JavaScript into Facebook Web pages when opened in a browser on an infected Android device. This then displays a message that misleads users into installing malware that is capable of grabbing hold of codes received via SMS – just like the ones we receive as part of Facebook’s two-factor authentication system. Users are tricked by the claim that Facebook has introduced increased security that requires the installation of an app. That app, of course, is malware.

“Due to a rising number of attempts in order to gain unlawful access to the personal information of our users and to prevent corrupted page data to spread Facebook administration introduces new extra safety protection system.”

In reality, Facebook isn’t the only company that uses such a system, with Google, Dropbox and even banks also taking to SMS in order to try and make their systems more secure. It’s entirely possible that this malware, called iBanking, could be on the lookout for just about anything.


There’s no indication yet about how widespread this particular malware has become, but with the number of Facebook users constantly increasing and Android being so popular worldwide, the potential is frightening. As always, we’d just say to be vigilant, and if anything’s asking for full administrator privileges, it’s probably best not to grant them until you’re 100% sure it’s all above board.

(Source: ESET)
